Auto Preview and File-based Attacks

Modern operating systems contain a feature that gives previews of a file's content without opening it. As you browse through a folder, you see the layout of your office documents, thumbnails of your pictures, and the opening frame of your videos. In usability terms this is a great feature for some — documents are easily found if they have distinguishing characteristics that are obvious from the front page. Unfortunately, to provide this functionality the operating system must parse the documents, which potentially exposes users to security vulnerabilities. At the end of May, Microsoft disclosed a vulnerability in DirectShow, and at the beginning of June Apple updated QuickTime for a number of security vulnerabilities. In the wake of these releases, I have prepared a quick tip about an easy, complementary hardening step that can take some automation away from an attacker's arsenal.

A Surge in File-based Attacks

Take for example MS05-024, a vulnerability in Windows Explorer's Web View, described in IntelliShield alert 9091. If an attacker can convince a user to preview a document, they can exploit the user's system. One potential exposure involves planting a malicious file on a shared drive: any user browsing that share with Web View enabled would be compromised. MS05-024 is 4 years old, but file-based flaws are very popular these days, particularly in multimedia files and in formats users consider "safe", like PDFs and office documents. At the start of this year, Adobe was heavily targeted by security researchers and miscreants, and several PDF vulnerabilities were disclosed. According to researchers from SourceFire, the flaw affected not only Adobe Acrobat and Adobe Reader, but OS X Preview, FoxIt, and others. If any of these readers exposed their vulnerable code paths through an icon preview feature in the operating system, then the risk to end users increased.

Adding Layered Security Against Preview-based Attacks

Clearly, icon preview modes will not make or break end-user security. If a user can be convinced to open a file, the flaw can still be exploited. However, in some cases it is fairly trivial for a remote attacker to convince a user to download a file to their desktop or default download directory, or for an insider to place it in a location other users might browse, like a shared network drive. Disabling auto-preview features may keep more users safe and removes a more automated or unintentional attack vector. Doing so provides an additional layer of security at little cost, namely some user convenience.

On Windows, it is possible to use the Registry, either directly or through Group Policy, to disable these features. On Mac OS X it is possible to do this by unchecking the "Show Icon Preview" option in the Finder. A nice side benefit of this security step is that file browsing, especially across network shares, may see a performance boost.

As attackers continue to turn to multimedia and file-based flaws, this small layer of security might slow the spread of malicious code. While other options like Cisco Security Agent, Cisco IPS, and regularly patching systems against flaws may be more complete solutions, administrators should not discount the effectiveness of built-in capabilities to help them out. For further information on vulnerabilities, and how Cisco can help secure your network, check out the Cisco Event Responses that coordinate Cisco security collateral with major security events.
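As an added example (not from the original post), the following PowerShell audits the per-user Explorer policy values that correspond to the "turn off thumbnails" and "turn off preview pane" Group Policy settings and can enforce them; the value names and the policy key path are assumptions drawn from the standard Explorer policy area, so verify them against your Group Policy reference before deploying.

```powershell
# Added example: audit/enforce Explorer preview hardening via the policy registry area.
# Assumed key and value names (verify in gpedit: User Configuration > Administrative
# Templates > Windows Components > File Explorer before rolling out).
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Settings = @{
    DisableThumbnails                 = 1   # show icons only, no thumbnails
    DisableThumbnailsOnNetworkFolders = 1   # same, for network shares (the shared-drive case above)
    NoPreviewPane                     = 1   # turn off the Explorer preview pane
}

function Get-PreviewHardeningState {
    # Returns one object per setting with the current value ($null if unset) and a compliance flag.
    foreach ($name in $Settings.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Settings[$name]
            Current   = $current
            Compliant = ($current -eq $Settings[$name])
        }
    }
}

function Set-PreviewHardening {
    # Writes the expected DWORD values; supports -WhatIf so the change can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", "set to $($Settings[$name])")) {
            New-ItemProperty -Path $PolicyKey -Name $name -Value $Settings[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report current state; uncomment the second line to apply (new Explorer windows pick it up).
Get-PreviewHardeningState | Format-Table -AutoSize
# Set-PreviewHardening -WhatIf
```

The same value names under HKLM apply machine-wide; a domain GPO that sets these policies is the equivalent for managed fleets.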
